The Photon operating system must enforce password complexity on the root account.

An XCCDF Rule

Description

Password complexity rules must apply to all accounts on the system, including root. Without specifying the "enforce_for_root flag", "pam_cracklib" does not apply complexity rules to the root user. While root users can find ways around this requirement, given its superuser power, it is necessary to attempt to force compliance.

ID: SV-256579r991589_rule
Version: PHTN-30-000110
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

Navigate to and open:

/etc/pam.d/system-password

Add the following, replacing any existing "pam_cracklib.so" line:
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

The Photon operating system must enforce password complexity on the root account.

Description

Remediation Templates

A Manual Procedure